Sensitive Data Exposure in Elasticsearch Logging Provider by Apache
CVE-2026-41018

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Airflow Providers Elastic
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-41018?

The Elasticsearch logging provider from Apache is subject to a vulnerability where, if configured with a host URL that includes embedded credentials (e.g., https://user:password@server.example.com:9200), it will log the complete host URL in task logs. This potentially allows any user able to read those task logs to extract sensitive backend credentials. To mitigate this risk, users are encouraged to upgrade to version 6.5.3 or later and to use a secret backend to manage credentials instead of embedding them in the host URL.

Affected Version(s)

Apache Airflow Providers Elasticsearch 0 < 6.5.3

References

https://github.com/apache/airflow/pull/65349

patch

https://lists.apache.org/thread/wz5l58drprmwlv6jxnq466x24...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Aleksandr Sozinov

Jarek Potiuk

CVE-2026-41018 Data

JSON